Tax-themed phishing and malware attacks proliferate during the tax filing season

Modern social engineering attacks use non-portable-executable (non-PE) files such as malicious scripts and macro-laced documents. Every month, Windows Defender AV detects non-PE threats on over 10 million machines.

Tax-themed scams and social engineering attacks are as certain as (death or) tax itself. Every year we see these attacks, and 2017 is no different.

These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April. The U.S. Internal Revenue Service last week warned of last-minute email scams.

Cybercriminals are using a variety of social engineering tactics related to different scenarios associated with tax filing, in order to get you to click links or open malicious attachments.

Here are some recent examples we’ve seen. The best defense is awareness: no matter what stage you are in your tax filing and wherever you are in the world, don’t fall for these social engineering attacks.

Tax refund: “You are eligible!”

An enticing bait attackers use says that you’re eligible for a refund. We’re seeing several phishing campaigns targeting taxpayers in the United Kingdom, where tax filing season ended in January. These attacks are targeting people who might be waiting for information about their tax refund.

These kinds of phishing emails pretend to come from HM Revenue and Customs, the tax collection body in the UK. These mails vary in how legitimate they appear, but in all cases the attackers want you to click a link in the mail. The link points to a phishing page that will ask for sensitive information.

If your default browser is Microsoft Edge, Microsoft SmartScreen will automatically block access to these phishing sites. Internet Explorer also includes Microsoft SmartScreen.

Tax filed: “Payment has been debited from your account”

Another cybercriminal tactic is to pretend to deliver a receipt for taxes filed. A recent example is a malicious email with the subject “Rs. 73,250 TDS Payment Has Been Debited from your Account”. TDS refers to Tax Deducted at Source, which is the method of collecting tax in India.

The message body says, “Kindly download and view your receipt below attached to this email.” The attachment plays the part and bears the name Income Tax Receipt.zip.

Inside the .zip is the file Income Tax Receipt.scr, which is really a banking Trojan detected by Windows Defender Antivirus as TrojanSpy:Win32/Bancos.XN.

The payload Trojan is part of a family of keyloggers. When it runs, it logs all keystrokes and sends these to an attacker. From the keystrokes, an attacker can then collect sensitive info like user names and passwords for online banking, email, social media, and other online accounts.

SHA1: 89c5248a989c79fdff943c7c896aeaee4175730d

Tax overdue: “Info on your debt and overdue payments”

Some tactics are more threatening. One example accuses the recipient of having overdue tax.

This threat can cause the recipient to panic and click a link in the email without thinking things through. We monitored an attack targeting taxpayers in the US that accused recipients of having overdue tax and told them that action needed to be taken immediately. The link in the email is, of course, a phishing page.

Again, Microsoft SmartScreen blocks access to this phishing page.

Tax evasion: “Subpoena from IRS”

Some attacks use fear as bait. One such bait tells recipients that there’s pending law enforcement action against them. We saw an example of this sent to U.S. taxpayers. It pretends to contain information about a subpoena, asking “What should we do regarding the subpoena from IRS?”

The attachment is a document file that Microsoft Word opens in Protected View. The attackers expected this, so the document contains an instruction to Enable Editing.

Zdowbot is a family of Trojan downloaders. They connect to a remote host and wait for commands. In addition to downloading and installing other malware, they can send information about your PC to a remote attacker.

SHA1: 7a46f903850e719420ee19dd189418467cb8af40

Tax preparation: “I need a CPA”

Some attacks are relevant during the early part of the tax filing process. We saw an attack this year that appears to target accountants in the U.S., judging by its timing and by the references to the IRS in the email.

The attack pretends to be coming from somebody seeking the services of a CPA. It includes an attachment named tax-infor.doc.

The attachment is a document with malicious macro code. Macros should be disabled by default (as is the best practice). When the attachment opens, Microsoft Word issues a warning. To encourage you to enable macros, the document displays a fake message box that says “Please enable Editing and Content to see this document”. The fake message box is designed to look like it’s part of Microsoft Word, but it’s really part of the document itself.

If you fall for the ruse and enable macros, then the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe.

Omaneat is a family of info-stealing malware. These threats can log keystrokes, monitor the applications you open, and track your web browsing history.

SHA1: ffc06b87eed545df632b61b2a32ef36216eb697d
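The three attachment lures above share a few mechanical traits a mail gateway or analyst can check for: an executable (.scr is a screensaver, i.e. an ordinary PE file) hiding behind a receipt-like name inside a .zip, an OLE Word document that carries a VBA project, a file hash that matches a published indicator, and a defanged download URL that needs refanging before it can go on a blocklist. The following triage script is an added example and not Microsoft's code; the SHA1 values are the three quoted in this post, the archive it inspects is constructed in memory (no real malware), and the VBA check is a string heuristic for the `_VBA_PROJECT` stream name rather than a full OLE parse.

```python
"""Attachment triage for the tax-themed lures described above.

Added example, not Microsoft's code. It builds a constructed sample archive
in memory, flags executable members hiding behind document-like names (the
Income Tax Receipt.scr trick), applies a simple heuristic for OLE documents
carrying a VBA project (the tax-infor.doc trick), compares member hashes
against the SHA1 indicators quoted in the post, and refangs the defanged
download URL so it can be fed to a proxy blocklist.
"""
import hashlib
import io
import zipfile

# SHA1 indicators quoted in the post for the three samples it describes.
KNOWN_BAD_SHA1 = {
    "89c5248a989c79fdff943c7c896aeaee4175730d": "TrojanSpy:Win32/Bancos.XN",
    "7a46f903850e719420ee19dd189418467cb8af40": "Zdowbot downloader",
    "ffc06b87eed545df632b61b2a32ef36216eb697d": "TrojanSpy:MSIL/Omaneat",
}

# Extensions Windows runs directly; a "receipt" with one of these is the pattern
# the Bancos sample used (.scr is a screensaver, i.e. a plain PE executable).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".hta", ".wsf"}

# Words a user associates with a harmless tax document.
DOCUMENT_HINT_WORDS = ("receipt", "invoice", "tax", "refund", "subpoena")

MZ_MAGIC = b"MZ"                                   # DOS/PE header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file (.doc/.xls)
# OLE directory entries store stream names as UTF-16LE; the _VBA_PROJECT stream
# only exists when a VBA project is present. Heuristic only: a proper check
# parses the OLE directory (e.g. with oletools' olevba).
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_member(name, data):
    """Return the list of findings for one archive member (empty if clean)."""
    findings = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")
        if any(word in lower for word in DOCUMENT_HINT_WORDS):
            findings.append("document-like name on an executable")
    if data.startswith(MZ_MAGIC):
        findings.append("PE (MZ) header")
    if data.startswith(OLE_MAGIC) and VBA_STREAM_MARKER in data:
        findings.append("OLE document with VBA project (macro) marker")
    sha1 = hashlib.sha1(data).hexdigest()
    if sha1 in KNOWN_BAD_SHA1:
        findings.append(f"matches known indicator: {KNOWN_BAD_SHA1[sha1]}")
    return findings


def triage_zip(zip_bytes):
    """Map each member name of a .zip attachment to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            report[info.filename] = classify_member(info.filename, archive.read(info))
    return report


def refang(indicator):
    """Turn a defanged URL such as hxxp://193[.]150[.]13[.]140/1.exe back into
    the literal string a proxy or DNS blocklist expects."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def build_sample_archive():
    """Constructed test data: a fake 'receipt' .scr with a PE header, a fake
    macro-bearing .doc, and a harmless text note. Not real malware."""
    fake_pe = MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    fake_doc = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 64
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Income Tax Receipt.scr", fake_pe)
        archive.writestr("tax-infor.doc", fake_doc)
        archive.writestr("notes.txt", b"nothing to see here\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_archive()).items():
        print(f"{member}: {findings or 'no findings'}")
    print(refang("hxxp://193[.]150[.]13[.]140/1.exe"))
```

Run it as a script to see the per-member findings for the constructed archive. In a real gateway the interesting signal is the combination, not any single check: a document-like name on a file with an MZ header is close to a sure thing, whereas an OLE document with a VBA marker is common in legitimate mail and only justifies sandboxing or Protected View, which is exactly the control the Enable Editing lure is trying to talk the user out of.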

How to stay safe from social engineering attacks

Tax-themed malware and phishing attacks highlight an important truth: most cybercrime is after your hard-earned money.

But these attacks rely on social engineering tactics, so you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if an email appears to come from someone you know, be wary about opening attachments or clicking links. Some malicious emails may be spoofing the sender.

The built-in security technologies in Windows 10 can help protect you from these attacks. Keep your computers up-to-date.